April 23, 2009 4:23 PM PDT

Conficker infected critical hospital equipment, expert says

by Elinor Mills

Updated 7:50 a.m. PDT April 24 to specify that the infection was in the U.S.

SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of U.S. hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.

"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told CNET News after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.

It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 on a local area network that was not supposed to have Internet access. That network, however, was connected to one that does have direct Internet access, and the machines were infected through that link, he said.

Conficker spreads across networks, through removable storage devices, and by exploiting a hole in the Windows Server service that Microsoft patched in October 2008 (MS08-067), but these machines were too old to be patched, according to Sachs.

In the U.K., PCs at hospitals in Sheffield were found to be infected with Conficker in January, The Register reported.

The situation illustrates the dangers of connecting critical networks, such as those in hospitals and the SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, to networks that are connected to the Internet, he said during the panel "Securing Critical Infrastructures: Infrastructure Exposed."
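A check a hospital or utility network team could run over flow records to catch the condition Sachs describes, as an added example that is not from the article, SANS, or any vendor. It looks for SMB (TCP 445, the port Conficker's MS08-067 exploit and share password guessing spread over) crossing from the Internet-connected segment into the supposedly isolated one, for any "isolated" host reaching a routable address, and for one host fanning out over 445 the way a worm does. The segment addresses, the flow-record format, the sample flows and the fan-out threshold are all assumptions made for the example.

```python
"""Flow-log check for two failure modes: a supposedly isolated clinical
segment that can actually reach the Internet, and SMB (TCP 445) traffic
crossing from the business segment into the clinical one, which is the path
a Conficker infection takes across a bridged network.

Added example, not code from the article, SANS ISC or any hospital. The
address ranges, the flow-record format and every flow below are constructed
for illustration; the fan-out threshold is an arbitrary choice.
"""
import ipaddress
from collections import defaultdict

# Assumed segment layout (hypothetical): the clinical LAN that was supposed to
# be isolated, and the business LAN that has a route to the Internet.
CLINICAL = ipaddress.ip_network("10.20.0.0/16")
BUSINESS = ipaddress.ip_network("10.10.0.0/16")

# Conficker's network propagation rode SMB on TCP 445 (the MS08-067 Server
# service exploit and ADMIN$ share password guessing), so 445 is the port to
# watch at the boundary between the two segments.
SMB_PORT = 445

# One source talking to this many distinct hosts on 445 is treated as
# worm-style scanning rather than normal file sharing (arbitrary threshold).
FANOUT_THRESHOLD = 5

# Constructed flow records in the form "timestamp,src,dst,proto,dport".
# Records 1-5 and 9 show one business host sweeping 445 across hosts; record 7
# is a clinical host reaching a routable address (64.12.90.33 is made up).
SAMPLE_FLOWS = """\
2009-04-20T08:00:01,10.10.4.21,10.20.1.5,tcp,445
2009-04-20T08:00:02,10.10.4.21,10.20.1.6,tcp,445
2009-04-20T08:00:02,10.10.4.21,10.20.1.7,tcp,445
2009-04-20T08:00:03,10.10.4.21,10.20.1.8,tcp,445
2009-04-20T08:00:03,10.10.4.21,10.20.1.9,tcp,445
2009-04-20T08:01:10,10.20.1.5,10.20.1.40,tcp,445
2009-04-20T08:02:45,10.20.1.5,64.12.90.33,tcp,80
2009-04-20T08:03:00,10.20.1.7,10.20.1.1,udp,53
2009-04-20T08:03:30,10.10.4.21,10.10.9.3,tcp,445
"""


def parse_flows(text):
    """Parse the constructed CSV-style flow records into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(dport),
        })
    return flows


def is_internet(addr):
    """True for a routable unicast address, i.e. something outside the LAN."""
    return addr.is_global and not addr.is_multicast


def check_flows(flows, fanout_threshold=FANOUT_THRESHOLD):
    """Return (kind, src, detail) findings for the three conditions checked."""
    findings = []
    smb_peers = defaultdict(set)
    for f in flows:
        src, dst = f["src"], f["dst"]
        # 1. The bridge itself: SMB from the Internet-connected segment into
        #    the "isolated" one. An isolated clinical LAN should never see this.
        if src in BUSINESS and dst in CLINICAL and f["dport"] == SMB_PORT:
            findings.append(("bridge_smb", str(src), str(dst)))
        # 2. A clinical host reaching a routable address: proof the segment
        #    is not isolated, whatever the network diagram says.
        if src in CLINICAL and is_internet(dst):
            findings.append(("clinical_to_internet", str(src), str(dst)))
        # 3. Collect 445 peers per source for the fan-out check below.
        if f["dport"] == SMB_PORT:
            smb_peers[src].add(dst)
    for src, peers in smb_peers.items():
        if len(peers) >= fanout_threshold:
            findings.append(("smb_fanout", str(src), len(peers)))
    return findings


if __name__ == "__main__":
    for kind, src, detail in check_flows(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:22} {src:14} {detail}")
```

In practice the records would come from NetFlow or firewall logs rather than the embedded sample, and the second finding (a clinical host reaching a routable address) is worth alerting on even when there is no infection at all, because it is direct evidence that the "isolated" segment is bridged.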

"We haven't found any nukes yet that are infected with Conficker or that are trying things like Twitter," he quipped. But "that is within the probable as we take shortcuts," he said.

"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.

Utilities are moving to remote access and other Internet-based technologies so that workers can reach the control systems when they are not at the plant, and to cut costs, Sachs said. Workers have been known to access control systems from BlackBerrys for no reason other than that they can, he said.

Asked after the panel if cyberattacks had led to any utility outages, Michael Assante, chief security officer of the North American Electric Reliability Corporation (NERC), said "none in North America."

"There is no evidence of computer compromise that led to a disruption of service," he said. "We're not immune to it; it's not hypothetical."

Government officials maintained that the August 2003 blackout in the northeastern United States was not caused by the Blaster worm that was circulating at the time, as some had suspected; the joint U.S.-Canada task force that investigated it attributed the cascade to a failed alarm system at FirstEnergy's control center and to transmission lines sagging into untrimmed trees.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Comments (26)
by monkeyfun14 April 23, 2009 4:37 PM PDT
This is gonna turn into one big ol MS bashing fest.
by Lerianis3 April 23, 2009 6:45 PM PDT
Most likely, yeah. It shouldn't be an MS bashing fest, considering that a patch was out nearly a YEAR before Conficker even showed up.
by seven7dust April 24, 2009 2:39 AM PDT
What's so wrong with that?
It's partly Microsoft's fault after all.
Who cares about patches etc.
When you're paying for something you expect it to work, and you don't get that with Microsoft, I'm afraid!
by rapier1 April 24, 2009 7:18 AM PDT
@Seven7Dust,

So is it okay if I get pissed off at Apple when they release security updates and patches for their offerings? I mean, I paid for this mac and I expect it to just work. Why should I have to patch it ever? They must use lousy developers.
by Random_Walk April 24, 2009 8:37 AM PDT
Nah - but it does make one wonder at why they have Windows attached to such critical equipment...

Most equipment of this type (I happen to know more than a few biomedical engineers) can't simply be patched due to a lot of factors:

* custom app software that needs to be rigorously tested more than most
* the constant use of the equipment makes downtime far harder to schedule and put to use
* the vendor of the equipment may not allow in-house patching (often enforced by contract) due to the desire/need to have the vendor do the servicing (and charge obscene amounts of cash for doing so).
* The version of Windows used is often the embedded version with a ton of custom drivers, which complicates things a bit more than your typical Dell. ;)

Hope that helps a little, kids.
by Dalkorian April 24, 2009 10:26 AM PDT
Deservedly.
by tm_anon April 24, 2009 7:17 PM PDT
@Lerianis3

The problem with your argument is that the computers infected were "too old" to be patched. Meaning it doesn't matter if the patch is out or not.
by ikramerica--2008 April 23, 2009 4:46 PM PDT
If only those heart monitors hadn't navigated to a file sharing site, downloaded a cracked version of iWork, and entered their login password, this never would have happened.

Oh, wait, that lazy equivalency doesn't work when you apply it to the real world.
by Lerianis3 April 23, 2009 6:56 PM PDT
Actually, most likely someone had Conficker on a USB stick, plugged it into one of the network computers, and it propagated over all the computers in said network!
I am willing to bet 5 million bucks and my balls that this happened like that.
by tm_anon April 24, 2009 7:20 PM PDT
Or you could read the article where the reason for the infection was given. I'll quote it for you. "...the network was connected to one that has direct Internet access and so they were infected, he said."

I don't see anything about a USB stick in there, do you?
by Vegaman_Dan April 23, 2009 5:16 PM PDT
"in a local area network that was not supposed to have access to the Internet, "

Well, there you go. There's the problem.
by ikramerica--2008 April 23, 2009 5:31 PM PDT
But how can the radiology tech check his facebook page if his computer's not connected?
by Lerianis3 April 23, 2009 6:53 PM PDT
Well, that is a big problem, and the question they should be asking: why did a network that wasn't supposed to have access to the internet get this on the computers? Answer: USB key or disc someone brought in, I am willing to bet you 5 million bucks.
by Seaspray0 April 23, 2009 9:47 PM PDT
The article said it was connected to a network that did have internet access.
by rapier1 April 24, 2009 7:20 AM PDT
@Lerianis3,
"The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said."

I'll send you an address for the check and your huevos.
by pentest April 24, 2009 7:28 AM PDT
Not to be snarky, but Windows is not built with Internet access in mind. It is the only possible explanation.
by n3td3v April 23, 2009 6:14 PM PDT
Too much generalisation as usual with these scare reports, not enough hard fact and evidence and no name of hospitals.

The security community gets sleepier the more of these reports come out that anyone could make up and nobody is believing.

Hard facts and evidence or ****.
by ti99_forever April 23, 2009 6:44 PM PDT
Yep, our hospital recently had a rash of conficker infections. Not aware of any critical systems, but since they are all on the network, I can't say...
Besides, the definition of critical, in this era of new software to replace paper, has morphed into a "gray area". We commonly get calls from floors unable to get meds for their patients, and a first response I always give is "don't let the computer prevent you from performing your job!".

Apparently, that is not part of the training...
by Lerianis3 April 23, 2009 6:48 PM PDT
You are forgetting something: if the computer doesn't have in it that the patient had gotten their medicines, the patient might get double or even more dosages! It SHOULD prevent them from doing their jobs until the thing is fixed, unless there is an urgent need to disregard the computerized system.
Anyway, how damn complicated is it..... I worked in a hospital (Johns Hopkins) that was one of the first to go to computerized prescriptions, and it was "punch in amount of pills, punch in dosage of pills, get doctor to sign off.... DONE!"

Then the pills were delivered in foil covered small trays with the patients name printed on the bottom of the tray, with the bottom facing up!
by zeroplane April 23, 2009 8:09 PM PDT
Perhaps this thing called security should be put on the hospital's network.. you know, something from the last 20 years would do.. or maybe have active sweeps of computers to detect misconfigurations.. My sister works in the medical industry and the "solutions" provided by technology consultants are shameful. Too bad the cost of the "solution" is not on par with the actual services rendered.

And people wonder why medical services are so expensive.
by ERK107 April 23, 2009 9:06 PM PDT
I just find it shocking that anything that has to deal with patient lives is not handled better, with precautions such as a separate isolated network with no access whatsoever to the outside.
by dargon19888 April 24, 2009 5:29 AM PDT
This is what happens when you get a bunch of non-technical people trying to run IT. They don't know enough to be paranoid and the staff being hired isn't properly trained to do the jobs.

Oh wait, it's not just hospitals, but all of IT.

The bean counters save a couple of bucks a year, but at what cost? How much did TJX have to shell out? How much do you think a medical malpractice suit will cost when a piece of equipment fails and someone dies? Oh, there's more, but then again, looking at our government, their top CIO was a political hack who couldn't run a city's IT dept....
by huckleberry2 April 24, 2009 6:15 AM PDT
The cause of the NE blackout was determined and discussed ad nauseam.

The alarm subsystem failed in a Unix-based SCADA system used by the utility company in Akron, OH (FirstEnergy). The problem persisted for over an hour. During this time, FirstEnergy's system operators were unaware of the condition of their electric system and allowed transmission lines to overheat and sag into trees (due in part to FirstEnergy's poor tree trimming practices). The instability of the electric system in Ohio caused overloads in adjacent service areas, which caused automatic protection systems on undamaged equipment to isolate it from the grid. The cascading events moved north into Canada, around the Great Lakes, and back into the northeast US, with the majority of the blackout occurring in ~9 seconds.

Specific software bugs were identified in the GE XA/21 SCADA system (used by FirstEnergy) which caused the initial failure of the alarm/event subsystem.

The cause of the blackout is known and was not related to an Internet worm. Please stop perpetuating this falsehood.
by pentest April 24, 2009 7:26 AM PDT
Who in the hell relies on Windows for critical systems?

If it is a critical system, it needs to be reliable, stable and secure. Three things Windows is not and never will be.
by willdryden April 25, 2009 8:59 PM PDT
I have found windows to be reliable and stable (except win ME). NO computer can be made secure if there is any human access. The only thing you can hope for is that your human resources dept. can weed out the people that will hurt your company and keep the system backed up just in case.

It only took me 2 hours to hack a VMS system one night when our stupid system manager edited the system startup file incorrectly and left town for the weekend. I got the call because I knew more about the OS than anyone else in the company.
by fwjs28 April 30, 2009 4:30 PM PDT
somebody most likely sent a dos attack to the servers, and Microshit is trying to cover it up, and blame it on the ****** servers...DUH!